the Chrome Web Store. Is this a good move that will improve security? What effect will this have on future apps?

Google Chrome extensions are small software programs that can customize and enhance the functionality of Google Chrome. Users can download them from the extensions gallery of the Chrome Web Store -- the online marketplace for Chrome apps, extensions and themes. While the extension platform unlocks powerful features that can increase the browser's functionality, it can also be abused by malware writers to capture user data, display ads or redirect users to malicious sites.

Prior to this latest policy update, users could install extensions directly from a developer's website. However, this installation method allowed malicious developers to avoid Google's automated review process -- which Chrome Web Store extensions have to pass through -- allowing them to distribute their malware directly to unsuspecting users. Google halted the silent installation of extensions by applications installed on a user's machine some time ago, as this was another method being used to distribute malware.

In response to growing concerns about Chrome users being infected by malicious extensions, Google has made a series of changes to its Chrome extension policy. In May last year, the company introduced a Chrome Web Store-only policy for Windows users whereby only extensions hosted on the Store could be installed; developers and Mac users could still install extensions from any source. Following this change in how extensions could be distributed to Windows users, Google saw a 75% drop in customer support help requests for uninstalling unwanted extensions. Despite these policy changes, some users were still being infected by malicious extensions -- the policy was not initially enforced on the Windows developer channel, so hackers started tricking users into switching to the developer channel in order to install their malicious extensions.

Google's new policy mandates that all Windows and Mac users -- including developers -- must install Web browser extensions from the Chrome Web Store. There is also a new application-vetting feature called Enhanced Item Validation, which runs additional checks before an extension is published in the Store and made available to users. This is aimed at preventing malicious extensions such as Webpage Screenshot, which slipped through the existing vetting process. Google is also beta testing a software removal tool, which will scan and remove software that may cause problems with Chrome.

Chrome will continue to support local extension installs during development, as well as installs that follow Chrome for Work and Education's enterprise policy. Although some extension developers have complained that these moves penalize the genuine developer by making them go through the time and trouble of submitting their extension for review, it should help make the Chrome Web Store a safer place, and if users have more confidence in software available in the store, then developers can only benefit.

Enterprises can specify a list of extensions that will be pushed silently to their users via group policy, the registry or the master_preferences file. Extensions request permissions before they are installed, and administrators should understand what data an extension will access. There are 10 different permissions, divided into three alert levels -- a high-level alert means the extension will have access to everything on a user's computer and the websites they visit. This level of access needs to be fully risk-assessed.
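One way to triage extensions before adding them to a force-install list, as an added example that is not part of the original article: the script reads each extension's manifest.json and assigns a review tier. The tier rules, the names used and the sample manifests are assumptions made for illustration, not Google's permission table.

```python
import json

# Tiers are this example's assumption, loosely following the three alert
# levels described above; they are not Google's official permission table.
ORDER = ["none", "low", "medium", "high"]
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"bookmarks", "cookies", "history", "management", "tabs"}

def host_patterns(manifest):
    """Collect host match patterns from permissions and content scripts."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = [p for p in perms if p == "<all_urls>" or "://" in p]
    hosts += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    return set(hosts)

def assess_manifest(manifest):
    """Return (level, reasons) for one parsed manifest.json."""
    findings = []
    if manifest.get("plugins"):
        findings.append(("high", "bundles a native (NPAPI-style) plugin"))
    broad = sorted(host_patterns(manifest) & BROAD_HOSTS)
    if broad:
        findings.append(("medium", "can touch every site: " + ", ".join(broad)))
    apis = sorted(p for p in manifest.get("permissions", [])
                  if isinstance(p, str) and p in SENSITIVE_APIS)
    if apis:
        findings.append(("low", "sensitive browser APIs: " + ", ".join(apis)))
    level = max((lvl for lvl, _ in findings), key=ORDER.index, default="none")
    return level, [reason for _, reason in findings]

# Constructed sample manifests (not real extensions).
SAMPLES = {
    "notes": '{"name": "Notes", "permissions": ["storage"]}',
    "tab-sorter": '{"name": "Tab Sorter", "permissions": ["tabs", "storage"]}',
    "page-capture": '{"name": "Page Capture", "permissions": ["tabs", "<all_urls>"]}',
    "legacy-helper": '{"name": "Legacy Helper", "plugins": [{"path": "helper.dll"}],'
                     ' "content_scripts": [{"matches": ["*://*/*"], "js": ["a.js"]}]}',
}

def audit(samples):
    """Map each extension name to its triage level."""
    return {name: assess_manifest(json.loads(raw))[0] for name, raw in samples.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *assess_manifest(json.loads(raw)), sep=" | ")
```

Anything that lands in the top tier should go through a full risk assessment before it is pushed by policy; the lower tiers still deserve a look at which sites and data the extension can reach.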

Join the conversation


Let's hope it works. I would hate to see them start charging for the extensions from the store. I do see the need for this to plug the holes where developers can create security flaws. It's amazing that things like this took so long to figure out.